Security is an extremely important consideration in network communications. With the ever-increasing utilization of the Internet, most networks now have Internet gateways which open them up to external attacks by would-be hackers. Further, the popularity of wireless networks has also increased dramatically as technology has enabled faster and more reliable wireless communications. Yet, wireless communications are inherently less secure than wired communications, since wireless communication signals are typically much easier to intercept than signals on cables which are often difficult to access.
As a result, cryptography is often used to encrypt private or secret communications to reduce the likelihood that they will be deciphered and used by malicious individuals or organizations. By way of example, wireless local area networks (WLANs) and WLAN devices are widely used and provide a convenient and cost-effective approach for implementing network communications where it may be difficult or otherwise impractical to run cables. One of the more prominent standards which has been developed for regulating communications within WLANs is the 802.11 standard, promulgated by the Institute of Electrical and Electronics Engineers' (IEEE) 802 LAN/MAN Standards Committee. In addition to providing wireless communications protocols, the 802.11 standard also defines a wired equivalent privacy (WEP) cryptographic algorithm which is used to protect wireless signals from eavesdropping.
WEP relies on a secret key that is shared between wireless stations and an access point. The secret key is used to encrypt data packets prior to transmission, and an integrity check is used to ensure that packets are not modified during the transmission. Nonetheless, it has recently been discovered that the WEP algorithm is not as immune to external attacks as once believed. For example, in an article entitled “Intercepting Mobile Communications: The Insecurity of 802.11” by Borisov et al., MOBICOM, Rome, Italy, July 2001, the authors set forth a number of vulnerabilities in WEP. In particular, it was noted that a significant breach of security occurs when two messages are encrypted using the same initialization vector (IV) and secret key, as this can reveal information about both messages.
Moreover, WEP message ciphertext is generated using an exclusive OR operation. By exclusive ORing the ciphertext of two messages generated using the same IV and key, the key streams cancel out, leaving the exclusive OR of the two plaintexts, from which the plaintext may then be recovered. As such, this key stream re-use is susceptible to a decryption dictionary attack in which a number of messages are stored and compared to find multiple messages generated with the same IV.
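The following added example (not part of the patent text) illustrates the key stream cancellation described above with a constructed stand-in key stream generator in place of RC4, together with a defender-side check that flags repeated IVs in a captured set of frames; the key, IVs and frame contents are constructed sample values.

```python
"""Added example: why IV/key stream reuse under WEP-style XOR encryption leaks
information, and a defender-side check for repeated IVs in a capture."""
import hashlib
from collections import Counter

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Constructed placeholder key stream (real WEP uses RC4 keyed with IV || key).
    # The algebra below only needs the stream to be a deterministic function of
    # (IV, key), which is exactly the property that makes IV reuse dangerous.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Stream-cipher style encryption: ciphertext = plaintext XOR key stream.
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))

def xor_of_plaintexts_leaks(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    # With a shared IV and key the key streams cancel:
    # c1 XOR c2 == (p1 XOR ks) XOR (p2 XOR ks) == p1 XOR p2.
    c1, c2 = encrypt(key, iv, p1), encrypt(key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def find_iv_reuse(frames: list) -> dict:
    # Defender-side check over (IV, ciphertext) pairs: any IV seen more than
    # once marks frames that were encrypted under an identical key stream.
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

# Constructed sample capture: (IV, ciphertext) pairs; WEP IVs are 24 bits.
KEY = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP-style key
SAMPLE_FRAMES = [
    (b"\x00\x00\x01", encrypt(KEY, b"\x00\x00\x01", b"hello, station A")),
    (b"\x00\x00\x02", encrypt(KEY, b"\x00\x00\x02", b"hello, station B")),
    (b"\x00\x00\x01", encrypt(KEY, b"\x00\x00\x01", b"hello, station C")),  # reused IV
]
```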
As a result, more robust network security is often required for many network applications. One example of a network security device to be connected between a protected client and a network is disclosed in U.S. Pat. No. 6,240,513 to Friedman et al. The network security device negotiates a session key with any other protected client. Then, all communications between the two clients are encrypted. The device is self-configuring and locks itself to the IP address of its client. Thus, the client cannot change its IP address once set and therefore cannot emulate the IP address of another client. When a packet is transmitted from the protected host, the security device translates the MAC address of the client to its own MAC address before transmitting the packet into the network. Packets addressed to the host contain the MAC address of the security device. The security device translates its MAC address to the client's MAC address before transmitting the packet to the client.
Even more robust cryptographic devices may be required to secure sensitive or classified communications. More particularly, in the U.S. the communications of government entities that include sensitive (but unclassified) information must comply with the Federal Information Processing Standards Publication (FIPS) publication 140-2 entitled “Security Requirements For Cryptographic Modules.” Classified communications, which are typically referred to as Type 1 communications, must comply with even stricter standards.
One example of an encryptor which is certified for Type 1 communications is the TACLANE Encryptor KG-175 from General Dynamics Corp. The “classic” version of the TACLANE encryptor has Internet Protocol (IP) and Asynchronous Transfer Mode (ATM) interfaces, and an E100 version has a fast Ethernet interface. The classic version may also be upgraded to fast Ethernet by replacing the IP/ATM network interface cards therein with two new E100 interface cards.
Despite the security benefits provided by such devices, many of these encryptors are fairly bulky and may consume significant amounts of power. One particularly advantageous cryptographic device which provides both space and power saving features is the Sierra module from Harris Corp., Assignee of the present application. The Sierra module is an embeddable encryption device that combines the advantages of high-grade security (e.g., Type 1) with the cost efficiency of a reprogrammable, commercially produced, FIPS 140-2 level 3 or 4 encryption module. The Sierra module can take on multiple encryption personalities depending on the particular application, providing encryption/decryption functionality, digital voice processing (vocoding) and cryptographic key management support functions. The Sierra module also provides the user with the capability to remove the Type 1 functionality, allowing the device to be downgraded to an unclassified device. Also, because of its relatively small size, low power and high data rates, this device is well-suited for battery sensitive applications.
By way of example, the Sierra module has been implemented in a Secure WLAN (SWLAN) personal computer (PC) card called SecNet 11, which is also produced by Harris Corp. The SecNet 11 card allows rapid communication of multimedia information (data, voice, and video) in a secure environment. The SecNet 11 card may be used as a wireless network interface card for WLAN “stations,” for wireless bridges, and for access points (APs), for example. The SecNet 11 device is more fully described in U.S. published application nos. 2002/0094087 and 2002/0095594, both of which are hereby incorporated herein in their entireties by reference.
Accordingly, the SecNet 11 card provides numerous advantages in terms of size, power requirements, and flexibility in WLAN environments. However, it may be desirable to provide such benefits in other network environments as well.